Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Host Without Firewall
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Host Without Firewall
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Host Without Firewall
id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9
status: experimental
description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime
date: 2019-03-19
modified: 2025-11-01
# tags:
# - CSC9
# - CSC9.4
# - NIST CSF 1.1 PR.AC-5
# - NIST CSF 1.1 PR.AC-6
# - NIST CSF 1.1 PR.AC-7
# - NIST CSF 1.1 DE.AE-1
# - ISO 27002-2013 A.9.1.2
# - ISO 27002-2013 A.13.2.1
# - ISO 27002-2013 A.13.2.2
# - ISO 27002-2013 A.14.1.2
# - PCI DSS 3.2 1.4
logsource:
product: qualys
detection:
selection:
event.category: 'Security Policy'
host.scan.vuln_name|contains: 'Firewall Product Not Detected'
condition: selection
level: low
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules-compliance/product/qualys/qualys_host_without_firewall.yml